CIS CSC #10 – Data Recovery Capabilities

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

This control includes five (5) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are four (4) IG1 controls and five (5) IG2 controls. This means that, at a minimum, we want to:

Ensure that all system data is automatically backed up on a regular basis.

Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

If you work in an industry with any sort of regulatory oversight, you likely already have requirements in place that cover at least two of the bullets above. On top of regulatory requirements, there have been enough ransomware headlines in the news to get just about everyone on board with performing data backups, and hopefully with storing those backups offline with appropriate physical security. Protecting stored backups is often accomplished by encrypting the backup media, but it can also be addressed by adequate physical security controls protecting the backup storage site; the depth of these physical controls should match the sensitivity of the data, and not all data needs Fort Knox-level protection.

The one IG1 control that is most likely to cause trouble during implementation is the second bullet: ensuring that backups cover the complete system, not just the critical data. Most enterprise-grade tools make this easier by implementing an incremental backup process: the first backup takes a single full system snapshot, and each subsequent backup captures only the changes since the previous one. This keeps backup files much smaller, so each backup completes more quickly, but it can complicate restoration, since a restore needs the full snapshot plus every incremental backup taken after it. Commercial tools should aid restoration by performing periodic full backups, which reduces the number of incremental backups required to restore on any given day.

I find it funny to look at the one control left out of IG1:

Test Data on Backup Media

If I were calling the shots, I would put this control ahead of offline storage. The intent behind an offline backup is to avoid two scenarios: an attacker who is already in the network compromising the backups along with the production environment to ensure they maintain access, and a worm such as WannaCry propagating to other file shares and placing the backup files at risk of encryption. There is an inherent assumption that the backups will be usable, but they are not tested to confirm that assumption. The likelihood of a wormable attack, or of another attacker on the network, seems much lower than that of a failed hard drive or the accidental deletion of a file.
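The full-plus-incremental chain described earlier and the "test data on backup media" point above, as an added Python simulation that is not part of the original post or of any backup product: every Nth backup is a full image and the rest are incrementals, a restore replays the chain from the newest full image and reports how many sets it had to read, and verify() compares the restored state against the digest recorded when the backup was taken. The file names, contents and the seven-day schedule are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Backup:
    kind: str  # "full" (complete system image) or "incremental"
    changes: dict  # full: every file; incremental: only files changed since the previous backup
    deleted: set = field(default_factory=set)  # files removed since the previous backup
    digest: str = ""  # sha256 of the complete system state at backup time


def fingerprint(state: dict) -> str:
    """Deterministic hash of a complete system state (file name -> contents)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


def restore(chain: list, seq: int) -> tuple:
    """Rebuild the state at backup `seq` from the newest full image at or before it; also returns the number of sets read."""
    base = max(i for i in range(seq + 1) if chain[i].kind == "full")
    state = dict(chain[base].changes)
    for backup in chain[base + 1:seq + 1]:  # replay every later incremental in order
        state.update(backup.changes)
        for name in backup.deleted:
            state.pop(name, None)
    return state, seq - base + 1


def take_backup(chain: list, state: dict, full_every: int) -> Backup:
    """Append a backup of `state`; every `full_every`-th backup is a full image."""
    seq = len(chain)
    if seq % full_every == 0:
        backup = Backup("full", dict(state), digest=fingerprint(state))
    else:
        prev = restore(chain, seq - 1)[0]  # the system as it looked at the previous backup
        changed = {n: d for n, d in state.items() if prev.get(n) != d}
        backup = Backup("incremental", changed, set(prev) - set(state), fingerprint(state))
    chain.append(backup)
    return backup


def verify(chain: list, seq: int) -> bool:
    """'Test data on backup media': restore, then compare with the digest recorded at backup time."""
    return fingerprint(restore(chain, seq)[0]) == chain[seq].digest


def simulate(full_every: int) -> list:
    """Constructed sample: seven daily backups; report.txt exists on days 2 and 3 only."""
    chain = []
    for d in range(7):
        state = {"config.ini": "v0", "db.sqlite": f"rows={d * 100}"}
        if d in (2, 3):
            state["report.txt"] = "draft"
        take_backup(chain, state, full_every)
    return chain
```

With a full image every third day, restoring day 5 reads three sets; with only the initial full image it reads all seven, and a single damaged incremental set fails verification for every later day until the next full image.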